FCC proposes requirements for emergency alert system participants to report cybersecurity incidents 

The Federal Communications Commission (FCC) published Wednesday a notice in the Federal Register proposing requirements for emergency alert system (EAS) participants to report compromises of their equipment, communications systems, and services to the commission. The notice also requires EAS participants to report any incident of unauthorized access of their EAS equipment, communications systems, or services to the FCC through the Network Outage Reporting System (NORS) within 72 hours of when they knew or should have known that an incident has occurred, and to provide details concerning the incident. It further requires that mobile devices only present wireless emergency alerts (WEA) from valid base stations.

The FCC additionally seeks comment on whether and how to promote the operational readiness of EAS. It also seeks comment to refresh the record on previously proposed changes to the WEA infrastructure functionality rules, and on how the FCC’s proposals in the NPRM may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as on the scope of the commission’s relevant legal authority.

The notice requires EAS participants and commercial mobile service (CMS) providers that participate in WEA to annually certify having a cybersecurity risk management plan in place and to employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems. It also lays down requirements for participating CMS providers to take steps to ensure that only valid alerts are displayed on consumer devices. These requirements would further protect the nation’s communications systems from cybersecurity threats.

With the notice of proposed rulemaking, the commission seeks comments on the proposed rules and any suitable alternatives, with comments due on or before Dec. 23, and reply comments due on or before Jan. 23, 2023. 

The comments should address whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, the accuracy of the Commission’s burden estimates, and ways to enhance the quality, utility, and clarity of the information collected. They must also address ways to minimize the burden of the collection of information on the respondents, including the use of automated collection techniques or other forms of information technology, and a mechanism to further reduce the information collection burden on small business concerns with fewer than 25 employees.

Data collected by the Public Safety and Homeland Security Bureau during a nationwide EAS test last August revealed that over 5,000 emergency alert system participants were using outdated software or using equipment that no longer supported regular software updates. On equipment operational readiness, the test also revealed that an appreciable number of EAS participants were unable to participate in testing due to equipment failure. This was despite receiving advance notice that the test was going to be conducted.

“The Commission, therefore, believes the information revealed in the nationwide EAS test signals that we should take action to ensure and enhance the security of the EAS and WEA,” the notice said. “In the NPRM, the Commission acts to improve the security and reliability of the EAS and WEA by proposing and seeking comment on rules promoting the operational readiness of EAS equipment, improving awareness of unauthorized access to EAS equipment, communications systems, or services, protecting the nation’s alerting systems through the development, implementation, and certification of a cybersecurity risk management plan and displaying only valid WEA messages on mobile devices,” it added.

The notice said that the FCC seeks comment on whether a compliance timeframe of 30 days from publication in the Federal Register of notice that the Office of Management and Budget (OMB) has completed its review of the modified information collection to improve the Commission’s visibility into the repair or replacement of non-operational EAS equipment would not impose a burden on small entities. “Small and other EAS Participants currently make entries in their broadcast station logs and cable system records showing the date and time equipment was removed and restored to service, and therefore already have processes and procedures in place to record information about the operational status of their EAS equipment in station logs that could be utilized for the proposed notification requirement,” it added. 

Additionally, in the event that the FCC were to alternatively require this notification to be provided through NORS, the requirement would become effective within 30 days from publication in the Federal Register of notice that the OMB has approved the modified information collection or upon publication in the Federal Register of a Public Notice announcing that NORS is technically capable of receiving such notifications, whichever is later. Similarly, this requirement should not impose a burden on small entities, since EAS participants are already likely to be using NORS.

The notice said that the requirement for EAS participants to report any incident of unauthorized access to their EAS equipment, communications systems, or services would be effective 60 days from publication in the Federal Register of notice that the OMB has approved the modified information collection. “Since we consider the requirement to report unauthorized access similar to the commission’s false alert reporting requirement, there are likely to be compliance synergies for small and other EAS Participants, and less of a burden than there would be in the absence of the similarity,” it added.

The Federal Register notice added that “we, therefore, seek comment in the NPRM on whether an EAS Participant’s process for ascertaining whether an incident of unauthorized access of its EAS equipment, communications systems, or services has occurred and reporting it to the Commission entails a level of effort comparable to compliance with the Commission’s false alert reporting requirement.”

To further explore the impact of the cybersecurity risk management plan requirement proposed in the NPRM, which requires small and other EAS participants and participating CMS providers to create, implement, and annually update a cybersecurity risk management plan and submit an annual certification attesting to compliance with the requirement, the FCC has sought comment on steps that it could take to limit various burdens. In particular, the FCC requests comments on whether the steps that it describes for EAS participants and participating CMS providers to submit their risk management plans are the most efficient way to implement a certification requirement, the notice said.

The FCC said in the NPRM that it also proposes to require that each plan include security controls sufficient to ensure the confidentiality, integrity, and availability (CIA) of the EAS. “While we believe there are numerous methods to satisfy this aspect of the requirement, we have proposed to allow the requirement to be satisfied by providing evidence of the successful implementation of an established set of cybersecurity best practices, such as applicable Center for Internet Security (CIS) Critical Security Controls or the Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Baseline,” the notice added.

“We believe adopting this flexible approach will allow EAS Participants and Participating CMS Providers to develop a plan that is appropriate for their organization’s size and available resources, while still ensuring that the plan results in ongoing and material improvements in EAS and WEA security,” according to the notice. “The Commission anticipates that this flexibility will reduce the costs imposed on small business EAS Participants and Participating CMS Providers, which will have different cybersecurity needs than larger EAS Participants and Participating CMS Providers, respectively.”

In August, the FCC urged communications providers participating in the emergency alert system to take appropriate measures to safeguard and protect their equipment. In addition, the communications agency warned against risks impacting devices publicly accessible from the Internet. The FCC warning at the time followed a similar warning from the Federal Emergency Management Agency (FEMA) after it became aware of specific vulnerabilities in emergency alert system encoder/decoder devices. 

At the time, FEMA said that the security gaps, if devices are not updated to the most recent software versions, could allow an actor to issue emergency alert system warnings over the host infrastructure.
